authorjsing <>2014-10-31 14:51:01 +0000
committerjsing <>2014-10-31 14:51:01 +0000
commit911a534951a7133a0e7f2314d3a57682c584c2f7 (patch)
treecbc34cc64480c58a9e6b221bf4a12687fac6fd93 /src/lib/libssl/s3_srvr.c
parent21b4fa8d2a511b2b7e7215bb18cb3836173fb390 (diff)
Remove support for ephemeral/temporary RSA private keys.
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively a standards violation) and for RSA sign-only, which should only be possible if you are using an export cipher and have an RSA private key that is more than 512 bits in size (however we no longer support export ciphers). ok bcook@ miod@
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c94
1 files changed, 14 insertions, 80 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 719b4c56c1..1b97895f76 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.88 2014/10/31 14:51:01 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -392,37 +392,14 @@ ssl3_accept(SSL *s)
392 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 392 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
393 393
394 /* 394 /*
395 * Clear this, it may get reset by 395 * Only send if using a DH key exchange.
396 * send_server_key_exchange.
397 */
398 if ((s->options & SSL_OP_EPHEMERAL_RSA)
399 )
400 /*
401 * option SSL_OP_EPHEMERAL_RSA sends temporary
402 * RSA key even when forbidden by protocol
403 * specs (handshake may fail as clients are
404 * not required to be able to handle this)
405 */
406 s->s3->tmp.use_rsa_tmp = 1;
407 else
408 s->s3->tmp.use_rsa_tmp = 0;
409
410
411 /*
412 * Only send if a DH key exchange, fortezza or
413 * RSA but we have a sign only certificate.
414 * 396 *
415 * For ECC ciphersuites, we send a serverKeyExchange 397 * For ECC ciphersuites, we send a ServerKeyExchange
416 * message only if the cipher suite is either 398 * message only if the cipher suite is ECDHE. In other
417 * ECDH-anon or ECDHE. In other cases, the 399 * cases, the server certificate contains the server's
418 * server certificate contains the server's
419 * public key for key exchange. 400 * public key for key exchange.
420 */ 401 */
421 if (s->s3->tmp.use_rsa_tmp || 402 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
422 (alg_k & (SSL_kDHE|SSL_kECDHE)) ||
423 ((alg_k & SSL_kRSA) &&
424 (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
425 NULL))) {
426 ret = ssl3_send_server_key_exchange(s); 403 ret = ssl3_send_server_key_exchange(s);
427 if (ret <= 0) 404 if (ret <= 0)
428 goto end; 405 goto end;
@@ -1352,7 +1329,6 @@ ssl3_send_server_key_exchange(SSL *s)
1352{ 1329{
1353 unsigned char *q; 1330 unsigned char *q;
1354 int j, num; 1331 int j, num;
1355 RSA *rsa;
1356 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1332 unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1357 unsigned int u; 1333 unsigned int u;
1358 DH *dh = NULL, *dhp; 1334 DH *dh = NULL, *dhp;
@@ -1383,31 +1359,6 @@ ssl3_send_server_key_exchange(SSL *s)
1383 1359
1384 r[0] = r[1] = r[2] = r[3] = NULL; 1360 r[0] = r[1] = r[2] = r[3] = NULL;
1385 n = 0; 1361 n = 0;
1386 if (type & SSL_kRSA) {
1387 rsa = cert->rsa_tmp;
1388 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
1389 rsa = s->cert->rsa_tmp_cb(s, 0,
1390 SSL_C_PKEYLENGTH(s->s3->tmp.new_cipher));
1391 if (rsa == NULL) {
1392 al = SSL_AD_HANDSHAKE_FAILURE;
1393 SSLerr(
1394 SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1395 SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1396 goto f_err;
1397 }
1398 RSA_up_ref(rsa);
1399 cert->rsa_tmp = rsa;
1400 }
1401 if (rsa == NULL) {
1402 al = SSL_AD_HANDSHAKE_FAILURE;
1403 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
1404 SSL_R_MISSING_TMP_RSA_KEY);
1405 goto f_err;
1406 }
1407 r[0] = rsa->n;
1408 r[1] = rsa->e;
1409 s->s3->tmp.use_rsa_tmp = 1;
1410 } else
1411 if (type & SSL_kDHE) { 1362 if (type & SSL_kDHE) {
1412 dhp = cert->dh_tmp; 1363 dhp = cert->dh_tmp;
1413 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1364 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
@@ -1855,32 +1806,15 @@ ssl3_get_client_key_exchange(SSL *s)
1855 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1806 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1856 1807
1857 if (alg_k & SSL_kRSA) { 1808 if (alg_k & SSL_kRSA) {
1858 /* FIX THIS UP EAY EAY EAY EAY */ 1809 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1859 if (s->s3->tmp.use_rsa_tmp) { 1810 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
1860 if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL)) 1811 (pkey->pkey.rsa == NULL)) {
1861 rsa = s->cert->rsa_tmp; 1812 al = SSL_AD_HANDSHAKE_FAILURE;
1862 /* 1813 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1863 * Don't do a callback because rsa_tmp should 1814 SSL_R_MISSING_RSA_CERTIFICATE);
1864 * be sent already 1815 goto f_err;
1865 */
1866 if (rsa == NULL) {
1867 al = SSL_AD_HANDSHAKE_FAILURE;
1868 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1869 SSL_R_MISSING_TMP_RSA_PKEY);
1870 goto f_err;
1871
1872 }
1873 } else {
1874 pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
1875 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
1876 (pkey->pkey.rsa == NULL)) {
1877 al = SSL_AD_HANDSHAKE_FAILURE;
1878 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
1879 SSL_R_MISSING_RSA_CERTIFICATE);
1880 goto f_err;
1881 }
1882 rsa = pkey->pkey.rsa;
1883 } 1816 }
1817 rsa = pkey->pkey.rsa;
1884 1818
1885 /* TLS and [incidentally] DTLS{0xFEFF} */ 1819 /* TLS and [incidentally] DTLS{0xFEFF} */
1886 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) { 1820 if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
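Review bot: In the ssl3_get_client_key_exchange hunk the new line `pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;` dereferences `s->cert` unconditionally, whereas the removed tmp-key branch guarded it with `(s->cert != NULL)`; the surviving non-tmp path never had that guard, so this is only a behaviour change if `s->cert` can be NULL here, which the hunk does not show either way. A short comment at that line recording the invariant would settle it: `/* s->cert is always set on a server SSL; NULL here is a programming error. */`. Related, the ssl3_accept hunk drops the `(alg_k & SSL_kRSA) && privatekey == NULL` arm of the ServerKeyExchange condition, so a sign-only RSA key paired with an RSA key-exchange cipher now appears to fail only when the ClientKeyExchange arrives (SSL_R_MISSING_RSA_CERTIFICATE) rather than before the Certificate message goes out; if cipher selection elsewhere already excludes that pairing it is harmless, otherwise the failure is late and the alert less descriptive. The enclosing functions in all three hunks start and end outside the hunks.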